Chat with us, powered by LiveChat CSIA 310 PART B | Gen Paper
+1(978)310-4246 credencewriters@gmail.com
  

Project #1 Incident Response Report – Part B: Summary

After Action Report

By:

CSIA 310

1

This study source was downloaded by 100000766134782 from CourseHero.com on 05-24-2022 17:39:35 GMT -05:00

https://www.coursehero.com/file/92995132/Project-1-Part-B-Summary-After-Action-Report-FINALdocx/

Introduction

Sifers-Grayson (SG) is a well-established company with its headquarter in Grayson County,

Kentucky, USA. SG is a typical American style family owned and operated business. The CEO is

the great-grandson of one of the original founder; his name is Ira John Sifer, III. SG’s COO is

Michael Coles, Jr., also a family member – CEO great nephew. Mary Beth Sifer, also a family

member, acts as the CFO and the head of the company’s personnel.

Recently, SG has secured a series of business contracts with the Department of Defense and

Homeland Security. Due to the nature of the business agreement with the 2 government agencies,

SG requires to be fully compliant with NIST 800-171 and Federal Acquisition Regulation

(DFARS).

SG was victim of 2 ransomware incidents (first 3 years ago, and second 3 months ago) which

caused substantial financial and credibility loss. In both incidents, SG opted to pay the ransom

because the company had never implemented a proper data backup process which could had be

used to recover the encrypted data without paying the ransom (Best practices for protecting your

data from ransomware, n.d.).

Although, SG has experienced cybersecurity breaches, the management never toke any real

action to improve the company’s security posture. However, the recent contracts with the

government agencies, which demanded strict compliance requirements, have imposed a full

review of the company’s security posture as well as a proper plan of actions to secure company’s

assets.

SG CEO, Ira Sifer, acknowledged that the company cannot stands the market competition

without a proper security posture, a maturity level that can only be achieved by having an

effective IT security process in place driven by skilled and empowered security team. Modern

businesses cannot operate at the industry level without technology – they all depend from online

services such as financial services, mobility, cloud computing, etc. (The Importance of

Technology for Modern Business Survival, 2016). Rigorous sets of policies, processes and

procedures will needed to be implemented company wide. The company’s IT environment, the

infrastructure and network topology, the identity management process including the

2

This study source was downloaded by 100000766134782 from CourseHero.com on 05-24-2022 17:39:35 GMT -05:00

https://www.coursehero.com/file/92995132/Project-1-Part-B-Summary-After-Action-Report-FINALdocx/

authentication protocols, and the entire data assets needs to be fully reviewed, improved, and

constantly monitored from vulnerabilities and threats.

SG must have a full insights onto its security posture, know its weaknesses, and proactively fix

them. With this goal as the new company priority, SG hired a Penetration Test consulting

company to help it meet the security requirements needed to be aligned with both the NIST 800-

171 and DFARS standards. A penetration test, also known as pen-test, is a simulated hacking

attack designed to help organizations in discovering security vulnerabilities (What is Penetration

Testing? – Pen Testing, 2019).

The contracted security consulting firm was immediately engaged, and its penetration test Red

Team started with an full assessment based on a set of questionnaire and interviews. The actual

penetration test was conducted on a normal business day. It consisted of 2 parts. Part 1 was

planned and delivered to assess the network and the systems to see if they can be hacked. Red

team searched and tested exploitable vulnerabilities that allow them to gain access, breach and

compromise the environment. Part 2 was designed to ensure that proper mitigation controls were

going to be implemented.

The initial quick assessment and the full test revealed many vulnerability, such as the lack of any

security policies, backup practices, incident response procedure, business continuity and disaster

recovery solution, and most important the lack of proper security awareness and training –

employees had no clue about social engineering and phishing emails. Additionally, the

assessment pointed out that the company IT staff was understaffed and lacked the proper skills

and experience to effectively manage, secure, and protect the network, the IT systems, and the

data.

Penetration Test Result and Incident Analysis

The penetration test conducted by the security consulting firm Red Team last 24 hours. The test’s

scope and rule of engagement (RoE) included several agreed attack vectors. The resources

assessed during the test include, but were not limited, to public facing (internet accessible) end

points such as web applications, network infrastructures, computer systems, data, and people.

The simulated attack was very successful in getting access to the company’s private data and to

the latest source code for the new AX10 Drone System. Results of the test were eye-opening,

3

This study source was downloaded by 100000766134782 from CourseHero.com on 05-24-2022 17:39:35 GMT -05:00

https://www.coursehero.com/file/92995132/Project-1-Part-B-Summary-After-Action-Report-FINALdocx/

highlighting major vulnerabilities among people, processes, policies, and technology. The Red

Team exploited tons of security weaknesses including services, applications flaws, end-user

behavior, and application flaws.

Based on threat modeling, SG and the Security Consulting firm have agreed and defined three

attack vectors. The attack vectors agreed upon were:

Attacks to corporate system from external access – An internet-based attack

aimed to gain useful information about or access the target systems.

Lateral movements from target system to management system – An internal

attack aimed to access the target management system from a system with an

identified or simulated security weakness on the corporate network that

mimics a malicious device.

Physical access – Attempt to gain access to the physical location.

The first attack consisted in gaining unauthorized access into the company’s Engineering R&D

servers. The penetration tests focused on external attacks against hosts to determine the

sensitivity of any information retrieved if exploitation was successful.

The network and servers were not protected by Firewalls, and neither had a sort of automated

detection system, therefore the Red Team was able to exploit the unprotected network, gain

access, and reach the Data Center computer systems.

The Red Team was able to exfiltrate all the engineering design documentation and the source

code for the new AX10 drone system. The attack revealed weak technology, processes and lack

of security policies.

The second attack was developed to test both physical security and protection against internal

threats. The physical security tests attempt to circumvent physical security to gain unauthorized

access to critical assets. It simulated an attack by an external untrusted individual, including any

rogue untrusted SG employee. Consequently, the internal attack was designed to determine the

security posture against threats originating from the corporate environment.

The attack consisted in leveraging employee kindness as they opened office’s doors to pretended

to be new employees, using their personal RFID cards, and without questioning who these

4

This study source was downloaded by 100000766134782 from CourseHero.com on 05-24-2022 17:39:35 GMT -05:00

https://www.coursehero.com/file/92995132/Project-1-Part-B-Summary-After-Action-Report-FINALdocx/

individual were and why they didn’t have an RFID card. Once inside the Red Team left several

malicious weaponized USB Drives scattered around the lunch room tables in the headquarters

building employee’s lounge area. These USB Drives contained an hidden key-logging software

which allowed the Red Team to capture all the key strokes as they were entered through the

keyboard, including credential passwords. The attack was fairly successful, as the Red Team was

able to obtain about 20% of the employee login credentials. Red Team leveraged the stolen and

compromised credential to move laterally through the company’s computer systems, till they

accessed the workstations used to burn (wirte) PROMs into the drone computer system, and they

installed a malware onto the PROM which was then placed in a testing drone. The Red Team was

able to take full remote control of the drone during a flying test. This attack demonstrated that

employees are the weakest link as they are not proper trained nor conscious of social

engineering threats. Proper technical safeguards were missed to prevent removable media to be

attached to the computer systems.

Finally the Red Team used some of the compromised credentials to exploit users using Social

Engineering techniques – they initiate a Phishing email attack. The test was designed with the

intent of exploiting weaknesses in the human factor to obtain an access path into the

organization. The crafted email tricked employees to click on embedded links which simulated a

malicious endpoint collecting email and IP addresses of these that have clicked the link. The Red

Team reported that 80% of the employees clicked on a link of a cute kittens and cats videos, 20%

were fooled by a business news story video, and 95% opened the link for sports event wrap-up

for the Kentucky Volunteers basketball team. Employees once again failed drastically, revealing

the lack of proper knowledge on how to best protect SG, mainly due to inadequate, and

insufficient training (process/policy failures).

Recommendations

Based on the results and finding of the penetration test conducted, a series of mitigation and

improvements are highly recommended. These are grouped as people, technology, processes &

procedures, and they are listed below.

People

SG’s employees, including IT personnel, executives and upper management, should attend a

regular security awareness and training program, at least once a year. Training should be

5

This study source was downloaded by 100000766134782 from CourseHero.com on 05-24-2022 17:39:35 GMT -05:00

https://www.coursehero.com/file/92995132/Project-1-Part-B-Summary-After-Action-Report-FINALdocx/

mandatory. Security training should not only be a compliance requirement but the first line of

defense that can help improve SG security posture and strengthen customers’ trust in the

organization. The training should meant to provide employees with guidance on security best

practices, latest security threats and operational security initiatives. Many cyber attacks target

users’ access to company assets. Without basic security training, users are unaware of the

different methods used by bad actors, how to protect against them, and the importance of

consistent adherence to security policy. As the first line of defense against bad actors, users must

be educated to prevent the exposure of vulnerabilities through common tactics, such as phishing

and leveraging elevated persistent administrative access (Security Awareness Training: Secure

Your Employees, 2020). If SG employees should have had proper training, they would have

known to not insert the founded USB drives onto the computer. Also, they would have known to

not let anyone in the office’s facility without proper badges and access card. Finally, they would

have known how to evaluate if an email contains a malicious content and not to open links from

it. SG executives should require to invest on company’s first asset – people – and assure they are

fully trained. Also, the company should acknowledge IT as the foundation to its business, hence

empowered the team accordingly. IT department should not be understaffed, and if not possible it

is recommended to leverage outsourced support from 3rd party specialized consulting firms. IT

personnel should allowed to train for the latest technology and security defensive solutions. They

represent the backbone for much of the day-to-day business activities. Therefore, they should

learn to be agile and flexible, proactive, innovative and visionary in driving continuous

improvements and evolution. IT should own and be made responsible to develop policies,

processes, and procedure to ensure proper security posture is achieved, and this includes annual

audit reviews and assessments. If the IT team would have not been understaffed and they would

have been properly skilled, the network could have been configured with better security

guardrails and some of the attacks would have been blocked at its source.

Technology

Modern businesses depend highly on technology. Proper governance of the technology includes

identifying (proactively) vulnerabilities, assess and manage risks, and mitigating them. These are

critical functions that the company IT department should function continuously (24/7). When

assessing vulnerabilities there are 4 defined categories to consider: hardware; software; network;

people. An effective security solution must be designed and implemented immediately. SG

6

This study source was downloaded by 100000766134782 from CourseHero.com on 05-24-2022 17:39:35 GMT -05:00

https://www.coursehero.com/file/92995132/Project-1-Part-B-Summary-After-Action-Report-FINALdocx/

should consider implementing a protection approach based on multi-layered security model –

something like a castle (Security et al., n.d.). If you study castles, you learn that they are

protected from external moats, bridges, sturdy entry doors and layered perimeter walls. This

model allowed a castle to defend its self from several attacks and prevent penetration. Also, it

intimidates attackers or even better suggests to abort any attempt of attacks. If compared to the

analogy of the castle defensive structure, today network firewall are the equivalent of the castle’s

tall and layered walls. By following the same concept, SG should have had several network

firewall, starting from the closest outside entry point, passing through a DMZ area, and ending at

the internal network. Also it is recommended to implement a mix of diversified multi-vendor

Firewall appliances (different make and models) to avoid that one exploitable vulnerability

would effect all (Tulloch, 2017). If one of them is breached chances are that the others can block

the intruder. A Network Intrusion Detection and Prevention System (IDS, IPS) should be in

place. Just as a castle’s moat filled with water and alligators, the IDS/IPS would detect and

eliminate the intrusion (What is IDS and IPS? | Juniper Networks, 2019). Network ports are

similar to the castle’s bridges and doors, and analogically they are closed or opened as needed,

meaning traffic would be allowed or denied based on proper rules. Additionally, SG should

consider addressing proper insights by monitoring the entire environment, encrypt data at rest

and in transition, and secure endpoints such as servers and desktops with anti-virus and anti-

malware software. Modern endpoint protection software is capable to block rouge external

attached media and reduce phishing attack success surface. If SG would engage in applying the

above recommendation, the company will have the proper counter attack tools to stop tentative

of compromise at its source or contain the breach at the beginning stages, hence limiting

damages. Security, as it stands at the core of any modern businesses, must be addressed and

implemented.

Processes-Procedures

As results of the penetration test, one thing that stands out is that SG has failed dramatically.

Attacks and breaches were carried out undetected – no one was aware of what was happening.

One of the root causes of such is the lack of proper monitoring, which otherwise it would have

detected some of the anomalies and generated some sort of alert. Even with proper monitoring, if

the company does not have adequate set of policies, processes and procedures in place, it would

be ineffective. To start, SG needs a strict policy about allowing people in the office facility.

7

This study source was downloaded by 100000766134782 from CourseHero.com on 05-24-2022 17:39:35 GMT -05:00

https://www.coursehero.com/file/92995132/Project-1-Part-B-Summary-After-Action-Report-FINALdocx/

Entering the building without badges, and access cards needs to be forbidden to all. External

guests will need to be vetted and escorted until supervised by a company employee which

assumes the responsibility afterword. Additionally processes and procedures will need to be

developed and implemented for Incident Handling and First Response.

Lesson Learned

The penetration test served as a woke up call for SG. Results made clear that the company needs

to invest into securing the infrastructure. Mitigation recommendations will allow SG to improve

the security posture, however, the company must commit to continue identify and mitigate risks

repeatedly. Cyber criminal continue to develop new tactics, techniques, and procedures (TTPs)

as new vulnerabilities are discovered, especially the Zero Day ones, however, the overall security

process should never stop. SG assets must be safeguarded, hence IT personnel must train and

improve their skills.

SG must:

Have a dedicated security team

Expand investments in security

Enforce security awareness and training company-wide

Enforce regular vetting of employees and partners

Implement regular auditing

Have regular penetration tests, possibly conducted by in-house Red Team

References:

Best practices for protecting your data from ransomware. (n.d.). Www.securitymagazine.com. Retrieved

February 8, 2021, from https://www.securitymagazine.com/articles/94075-best-practices-for-protecting-

your-data-from-ransomware

Ryan. (2019, June 18). Encryption in-transit and Encryption at-rest – Definitions and Best Practices.

Ryadel. https://www.ryadel.com/en/data-encryption-in-transit-at-rest-definitions-best-practices-tutorial-

guide/

Security Awareness Training: Secure Your Employees. (2020). Rapid7.

https://www.rapid7.com/fundamentals/security-awareness-training/

8

This study source was downloaded by 100000766134782 from CourseHero.com on 05-24-2022 17:39:35 GMT -05:00

https://www.coursehero.com/file/92995132/Project-1-Part-B-Summary-After-Action-Report-FINALdocx/

Security, C. P. in I., December 18, in S. on, 2008, & Pst, 6:05 A. (n.d.). Understanding layered security

and defense in depth. TechRepublic. https://www.techrepublic.com/blog/it-security/understanding-

layered-security-and-defense-in-depth/

The Importance of Technology for Modern Business Survival. (2016, September 9). My Computer

Career. https://www.mycomputercareer.edu/the-importance-of-technology-for-modern-business-survival/

Tulloch, M. (2017, July 13). Firewalls: Should you have a single vendor or multi-vendor strategy?

TechGenix; TechGenix. http://techgenix.com/firewalls/

What is Penetration Testing? – Pen Testing. (2019, October). Cisco.

https://www.cisco.com/c/en/us/products/security/what-is-pen-testing.html

What is IDS and IPS? | Juniper Networks. (2019). Juniper.net. https://www.juniper.net/us/en/products-

services/what-is/ids-ips/

9

This study source was downloaded by 100000766134782 from CourseHero.com on 05-24-2022 17:39:35 GMT -05:00

https://www.coursehero.com/file/92995132/Project-1-Part-B-Summary-After-Action-Report-FINALdocx/
Powered by TCPDF (www.tcpdf.org)

error: Content is protected !!